In this document, we will learn how to set up an NFS server along with an NFS client that runs autofs(5) version 5. The automount daemon will fetch its automount maps from our OpenLDAP 2.4 server. The client will then be configured to mount users' home directories from the NFS server, and every user's DN in OpenLDAP will be modified to reflect this change. We will also create a central NFS software repository.

Server NFS Configuration

Create the directory in which users' home directories will reside (/export/home) and the central software repository (/export/install):

sudo mkdir -p /export/home /export/install

Keep in mind that we need to create a home directory for each user. Since our users are stored in OpenLDAP, we must make sure that the NFS server is also an LDAP client, which means editing the LDAP client configuration file.
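As an added example (not code from the original post), the following script provisions one home directory per LDAP user on the NFS server. It reads passwd(5)-format lines on stdin, which in practice come from getent passwd once the server is an LDAP client; the three accounts, their uids/gids and the 10000 cut-off for system accounts are constructed assumptions. Ownership is only changed when the script runs as root, since chown needs that; otherwise it reports what it would have done.

```shell
#!/bin/sh
# Added example (not from the original post): provision one home directory per
# LDAP user under the NFS export. Input is passwd(5)-format lines on stdin; in
# practice that is "getent passwd" once the NFS server is an LDAP client.

# Constructed sample accounts (hypothetical users, uids and gids).
SAMPLE_PASSWD='alice:x:10001:10001:Alice Example:/home/alice:/bin/bash
bob:x:10002:10001:Bob Example:/home/bob:/bin/bash
svc-backup:x:10500:10500:Backup service:/sbin/nologin:/sbin/nologin'

# Accounts below this uid are treated as system accounts and skipped
# (assumption: LDAP users in this setup start at uid 10000).
MIN_UID=${MIN_UID:-10000}

# provision_homes BASE < passwd-lines
# Creates BASE/<user> with mode 0700, owned by the account's uid:gid, for every
# login account. Prints each directory handled; safe to re-run.
provision_homes() {
    base=$1
    [ -d "$base" ] || { echo "$base: not a directory" >&2; return 1; }
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        [ "$uid" -ge "$MIN_UID" ] || continue
        # Service accounts with a nologin shell get no home directory.
        case "$shell" in */nologin|*/false) continue ;; esac
        dir=$base/$user
        [ -d "$dir" ] || mkdir "$dir" || return 1
        # 0700: the export is shared by every client, so the directory itself
        # has to keep other users out.
        chmod 0700 "$dir" || return 1
        if [ "$(id -u)" -eq 0 ]; then
            chown "$uid:$gid" "$dir" || return 1
        else
            echo "not root: would chown $uid:$gid $dir" >&2
        fi
        echo "$dir"
    done
}

# list_home_dirs BASE: directory names present under BASE, sorted, one per line.
list_home_dirs() {
    ls -1 "$1" | sort
}

# Demo against the constructed accounts:  sh provision_homes.sh demo
case "${1:-}" in
    demo)
        work=$(mktemp -d)
        printf '%s\n' "$SAMPLE_PASSWD" | provision_homes "$work"
        list_home_dirs "$work"
        rm -rf "$work"
        ;;
esac
```

On the real server the call is getent passwd | provision_homes /export/home, run as root, after the LDAP client configuration is in place; the uid and gid come from the LDAP posixAccount entries, so they match what the NFS client will present.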

LDAP Server Configuration

Now that our NFS server is configured, we need to add the automount schema to our LDAP server. The easiest way to get the schema is to install the autofs package.

sudo yum -y install autofs

This package comes with the required schema.

rpm -ql autofs | grep schema

/usr/share/doc/autofs-5.0.5/autofs.schema

Which means that to add the autofs schema, we just need to do the same thing we did with sudo in one of my previous blog posts. Start by creating a temporary configuration file. Notice that we need the core.schema in this temporary configuration file; otherwise we get an error saying « objectclass: AttributeType not found: "ou" », because the autofs.schema file depends on "ou", which core.schema defines.

Next, use slapcat(8C) to generate the new autofs schema in LDIF format.

slapcat -f ~/ldap/autofs.conf -F ~/ldap -n 0

The new LDIF schema file is dumped in ~/ldap/cn\=config/cn\=schema/cn\=\{1\}autofs.ldif. As was the case with the sudo schema, we first need to sanitize this new file before we can add it to our OpenLDAP server. A few quick sed(1) commands should do the trick.
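The conversion steps above as one script, added here as an example and not taken from the post: it writes the temporary configuration file (core.schema first, then autofs.schema, at the paths the post shows), and it sanitizes the slapcat dump with sed. The sample dump is a constructed, abridged stand-in for the real cn={1}autofs.ldif; the convert_autofs_schema function runs the real slapcat and needs the OpenLDAP tools, so only the two pure functions are exercised stand-alone.

```shell
#!/bin/sh
# Added example: build the temporary slapd.conf used to convert autofs.schema and
# sanitize the LDIF that slapcat(8C) dumps so it can be loaded into cn=config.

# Paths from the post; the autofs version is the one rpm -ql showed above.
CORE_SCHEMA=/etc/openldap/schema/core.schema
AUTOFS_SCHEMA=/usr/share/doc/autofs-5.0.5/autofs.schema

# write_schema_conf FILE: temporary config. core.schema comes first because
# autofs.schema refers to "ou", which core.schema defines.
write_schema_conf() {
    printf 'include %s\ninclude %s\n' "$CORE_SCHEMA" "$AUTOFS_SCHEMA" > "$1"
}

# sanitize_schema_ldif < dumped.ldif > clean.ldif
# slapcat -n 0 names the entry cn={N}autofs and adds operational attributes that
# ldapadd will not accept. Rewrite dn/cn to their final form and drop the rest.
sanitize_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}autofs$/dn: cn=autofs,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}autofs$/cn: autofs/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Constructed, abridged stand-in for the slapcat output (the real file carries the
# complete autofs attribute and object class definitions).
SAMPLE_DUMP="dn: cn={1}autofs
objectClass: olcSchemaConfig
cn: {1}autofs
olcAttributeTypes: {0}( 1.2.3.4.5 NAME 'constructedAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20120101000000Z
entryCSN: 20120101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120101000000Z"

# convert_autofs_schema [WORKDIR]: the full procedure on the LDAP server.
# Requires slapcat; the resulting autofs.ldif is loaded over ldapi:/// as root.
convert_autofs_schema() {
    work=${1:-$HOME/ldap}
    mkdir -p "$work" || return 1
    write_schema_conf "$work/autofs.conf"
    slapcat -f "$work/autofs.conf" -F "$work" -n 0 > /dev/null || return 1
    sanitize_schema_ldif < "$work/cn=config/cn=schema/cn={1}autofs.ldif" \
        > "$work/autofs.ldif" || return 1
    echo "load it with: sudo ldapadd -Y EXTERNAL -H ldapi:/// -f $work/autofs.ldif"
}

# Demo on the constructed dump:  sh convert_schema.sh demo
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_DUMP" | sanitize_schema_ldif ;;
esac
```

Sanitizing by deleting exactly these attribute names, rather than everything after the schema definitions, keeps any olcObjectClasses lines that follow the attribute types in the real dump.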

NFS Client Configuration

Make sure the NFS client daemons (rpcbind, nfslock and rpcidmapd) are started at boot, and start them manually. NOTE : I had a problem where idmapd required a complete client AND server reboot for it to work. If it doesn't work for you, try it.

sudo chkconfig rpcbind on

sudo /etc/init.d/rpcbind start

sudo chkconfig nfslock on

sudo /etc/init.d/nfslock start

sudo chkconfig rpcidmapd on

sudo /etc/init.d/rpcidmapd start

Configure the name service switch file (/etc/nsswitch.conf) so that the automount: keyword uses the ldap directory.

Fix the permissions on /etc/autofs_ldap_auth.conf. Otherwise we get this error, which is pretty clear :)

automount[4570]: parse_ldap_config: lookup(ldap): Configuration file /etc/autofs_ldap_auth.conf exists, but is not usable. Please make sure that it is owned by root, group is root, and the mode is 0600.
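The two client steps above (the nsswitch entry and the auth file permissions) as shell functions, added as an example rather than taken from the post. Both take the file as a parameter so they can be exercised on copies; the defaults are the real paths. The "files ldap" source order is an assumption, and the ownership check defaults to uid 0 / gid 0 but accepts other ids so it can be tried on a non-root file.

```shell
#!/bin/sh
# Added example: the client-side nsswitch.conf change and the permission check
# that autofs performs on its LDAP auth file.

# set_automount_source FILE [SOURCES]
# Replaces (or appends) the automount: line so autofs looks its maps up in LDAP.
# Default "files ldap" is an assumption: local maps still resolve if the
# directory is unreachable.
set_automount_source() {
    file=${1:-/etc/nsswitch.conf}
    sources=${2:-"files ldap"}
    if grep -q '^automount:' "$file"; then
        sed -i "s/^automount:.*/automount:  $sources/" "$file"
    else
        printf 'automount:  %s\n' "$sources" >> "$file"
    fi
}

# get_automount_source FILE: prints the configured sources, for verification.
get_automount_source() {
    sed -n 's/^automount:[[:space:]]*//p' "${1:-/etc/nsswitch.conf}"
}

# check_auth_conf FILE [UID] [GID]
# autofs refuses its LDAP auth file unless it is owned by root:root with mode
# 0600 (the file holds the bind credentials). Returns 0 when it passes and 1
# with a reason on stderr otherwise. UID/GID default to root's 0/0.
check_auth_conf() {
    file=${1:-/etc/autofs_ldap_auth.conf}
    want_uid=${2:-0}
    want_gid=${3:-0}
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    uid=$(stat -c %u "$file"); gid=$(stat -c %g "$file"); mode=$(stat -c %a "$file")
    rc=0
    [ "$uid" = "$want_uid" ] || { echo "$file: owner uid $uid, want $want_uid" >&2; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "$file: group gid $gid, want $want_gid" >&2; rc=1; }
    [ "$mode" = 600 ] || { echo "$file: mode $mode, want 600" >&2; rc=1; }
    return $rc
}

# fix_auth_conf FILE: apply the ownership and mode autofs requires (needs root).
fix_auth_conf() {
    file=${1:-/etc/autofs_ldap_auth.conf}
    chown root:root "$file" && chmod 0600 "$file"
}

# Demo (as root, on the real files):  sh client_checks.sh apply
case "${1:-}" in
    apply)
        set_automount_source
        check_auth_conf || fix_auth_conf
        check_auth_conf && echo "autofs_ldap_auth.conf: ok"
        ;;
esac
```

The error message in the log names the mode and owner it expects, so check_auth_conf mirrors exactly that, nothing stricter; run it after any edit to the auth file, since editors that write a new file can silently change the mode.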

Make sure the automount daemon starts when the client machine boots and start the daemon.

sudo chkconfig autofs on

sudo /etc/init.d/autofs start

Check the server and the client log files. If all is good, then test your configuration.

cd /nfs/install

df -h .

Filesystem            Size  Used Avail Use% Mounted on
alice.company.com:/export/install
                      770G   17G  714G   3% /nfs/install

Voilà! Goal number 6 is done!

Install OpenLDAP 2.4.

Configure Transport Layer Security (TLS).

Manage users and groups in OpenLDAP.

Configure pam_ldap to authenticate users via OpenLDAP.

Use OpenLDAP as sudo's configuration repository.

Use OpenLDAP as automount map repository for autofs.

Use OpenLDAP as NFS netgroup repository again for autofs.

Use OpenLDAP as the Kerberos principal repository.

Setup OpenLDAP backup and recovery.

Setup OpenLDAP replication.

In future blog posts, I will show how to use a Kerberos principal and SASL GSSAPI to authenticate the autofs daemon.

Just my take on the /home directories.. I wanted home directories to be auto-created, so I did the following:

NFS Server - ll /exports:
drwxr-xr-x. 4 nfsnobody nfsnobody 4096 May 20 23:46 home
drwxr-xr-x. 2 nfsnobody nfsnobody 4096 May 20 23:01 install

Then in the /etc/exports file:
/export/home 192.168.1.0/24(rw,sync,no_root_squash,no_subtree_check)
/export/install 192.168.1.0/24(rw,insecure)

Now I can create new users and the first time they log in, they get a home directory setup for them.

That way it avoids the whole creating directories on the NFS server prior to logging into a machine.
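An added example, not part of the comment above or of the post: a small audit of /etc/exports that flags the options in the commenter's two lines which widen what a client can do. no_root_squash means root on any host in 192.168.1.0/24 acts as root on the home export, insecure accepts mount requests from unprivileged source ports (so any user on a client, not just root, can speak to the server), and a missing or "*" client exports to every host. The sample below is rebuilt from the comment; the hardened line in the usage note is constructed.

```shell
#!/bin/sh
# Added example: flag risky /etc/exports options before running exportfs.

# Constructed from the comment above (plus a comment line to show it is skipped).
SAMPLE_EXPORTS='/export/home 192.168.1.0/24(rw,sync,no_root_squash,no_subtree_check)
/export/install 192.168.1.0/24(rw,insecure)
# a comment line
'

# audit_exports < exports-file
# Prints one finding per risky option as "PATH CLIENT: message".
# Returns 0 when nothing was flagged, 1 otherwise.
audit_exports() {
    findings=0
    set -f                  # no globbing: client specs such as "*(rw)" stay literal
    while read -r path rest; do
        case "$path" in ''|\#*) continue ;; esac
        # rest holds one or more "client(options)" groups separated by blanks.
        for spec in $rest; do
            client=${spec%%"("*}
            if [ "$client" = "$spec" ]; then
                opts=""                       # no parenthesised options at all
            else
                opts=${spec#*"("}; opts=${opts%")"}
            fi
            case "$client" in
                ''|'*') echo "$path ${client:-*}: exported to every host"; findings=1 ;;
            esac
            oldifs=$IFS; IFS=,
            for opt in $opts; do
                case "$opt" in
                    no_root_squash)
                        echo "$path $client: no_root_squash lets root on any client act as root on the export"
                        findings=1 ;;
                    insecure)
                        echo "$path $client: insecure accepts requests from unprivileged source ports"
                        findings=1 ;;
                    async)
                        echo "$path $client: async acknowledges writes before they reach disk"
                        findings=1 ;;
                esac
            done
            IFS=$oldifs
        done
    done
    set +f
    return $findings
}

# Demo on the constructed sample:  sh audit_exports.sh demo
case "${1:-}" in
    demo) printf '%s' "$SAMPLE_EXPORTS" | audit_exports ;;
esac
```

Running audit_exports < /etc/exports before exportfs -ra gives a quick review step; a line such as /export/home 192.168.1.0/24(rw,sync,root_squash,no_subtree_check) (constructed) passes cleanly, and pam_mkhomedir on the client still creates the directory as the logging-in user, so no_root_squash is not needed for that.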

Yes I am, it's the default module, pam_mkhomedir.so, so there is no configuration required. Well, at least on 6.4.

Well, your guide has been awesome. I have been going through it and setting up a test lab at home and learning all about LDAP. Of course I'm putting my own spin on it all; once complete, I am going to write it up in Puppet scripts as an exercise. Now that should be amusing. :)

I don't know if pam_mkhomedir.so is the default on all versions of CentOS? But it's clearly a very cool module indeed.

Thanks for the good words, I'm glad I could help! If you do make those Puppet scripts, then would you be so kind as to let me know? I'll link your blog post here so that others have a chance to benefit from your work on Puppet (which is such a great piece of software :)

I've just finished this post, and each step is very clear and well understandable. Fabulous!!! Just one point: when I checked my /var/log/slapd.log on the final step (client's configuration), one thing is disturbing me. I mean:
<= bdb_equality_candidates: (ou) not indexed
conn=1054 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1054 op=3 SRCH base="ou=auto.master,ou=autofs,ou=services,dc=berok,dc=org" scope=2 deref=0 filter="(objectClass=automount)"

This error will not prevent your OpenLDAP server from working. But ideally, you want to get rid of the error. The trick is to add an index on the ou object. I believe this index is created when you follow this blog post :
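The "(ou) not indexed" lines in the comment above and the index David suggests in his reply, as an added example that is neither the commenter's nor the post's own code. It extracts the unindexed attributes from slapd log lines (going a step beyond the page by mapping bdb_equality_candidates to an eq index and bdb_substring_candidates to a sub index), writes the matching olcDbIndex LDIF, and shows the ldapmodify call over ldapi:/// with SASL EXTERNAL, the form that worked for the commenter further down. The database DN olcDatabase={2}bdb,cn=config is an assumption for a stock CentOS 6 OpenLDAP 2.4 install; show_databases lists what the server actually has. The sample log is constructed from the comment.

```shell
#!/bin/sh
# Added example: turn "not indexed" slapd log lines into an olcDbIndex change.

# Assumption: the stock CentOS 6 database entry. Confirm with show_databases.
DB_DN=${DB_DN:-"olcDatabase={2}bdb,cn=config"}

# Constructed from the comment above, with one extra substring line added.
SAMPLE_LOG='<= bdb_equality_candidates: (ou) not indexed
conn=1054 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1054 op=3 SRCH base="ou=auto.master,ou=autofs,ou=services,dc=berok,dc=org" scope=2 deref=0 filter="(objectClass=automount)"
<= bdb_equality_candidates: (ou) not indexed
<= bdb_substring_candidates: (cn) not indexed'

# unindexed_attrs < slapd.log
# Prints "attr type" pairs ready for olcDbIndex, one per line, de-duplicated.
# A syslog prefix before "<=" is tolerated by the leading ".*".
unindexed_attrs() {
    sed -n \
        -e 's/.*<= bdb_equality_candidates: (\([^)]*\)) not indexed.*/\1 eq/p' \
        -e 's/.*<= bdb_substring_candidates: (\([^)]*\)) not indexed.*/\1 sub/p' \
    | sort -u
}

# write_index_ldif FILE "attr type"...: LDIF adding the given olcDbIndex values.
write_index_ldif() {
    out=$1; shift
    {
        printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n' "$DB_DN"
        for idx in "$@"; do printf 'olcDbIndex: %s\n' "$idx"; done
    } > "$out"
}

# index_ldif_from_log LOG FILE: same, with the index list taken from the log.
index_ldif_from_log() {
    {
        printf 'dn: %s\nchangetype: modify\nadd: olcDbIndex\n' "$DB_DN"
        unindexed_attrs < "$1" | sed 's/^/olcDbIndex: /'
    } > "$2"
}

# show_databases: list database entries in cn=config so DB_DN can be confirmed.
show_databases() {
    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' \
        olcDatabase olcSuffix olcDbIndex
}

# apply_index_ldif FILE: apply it as root over the local socket, the way the
# commenter below had to (SASL EXTERNAL, not a simple bind).
apply_index_ldif() {
    sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Demo on the constructed log:  sh ou_index.sh demo
case "${1:-}" in
    demo)
        f=$(mktemp)
        printf '%s\n' "$SAMPLE_LOG" > "$f.log"
        index_ldif_from_log "$f.log" "$f"
        cat "$f"
        rm -f "$f" "$f.log"
        ;;
esac
```

After the change is applied, grep the log again: the bdb_equality_candidates lines for ou should stop appearing for the automount searches, which is the quickest confirmation that the index is being used.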

OK, I understand your answer about the missing index on the OU object... And of course you're right, again, I didn't create any index as I haven't finished all the setups (especially http://itdavid.blogspot.ca/2012/05/howto-centos-62-kerberos-kdc-with.html which seems to be very important and the error's source)...

Hi David, incredible howto, but I got stuck in this chapter for a while because of "BROWSE_MODE=no". It is worth saying that in this mode the mounted directory /nfs appears to be empty but it isn't! We need to go directly to the exported location using e.g. cd /nfs/home to see its content. Oh, I lost 2 hours because of that... ;)

The first error you're hitting appears to be caused by the absence of the root user within your OpenLDAP directory tree. I'm not sure why? Have you followed the blog articles right from the very first or started at this one?

As for the second error, it may well be an error on my part. But, again, if you've started this blog post from this page and did not follow all the instructions from the very start, then you might have missing pieces. This OpenLDAP blog series is meant to be followed from the start.

Ravindra, I got the additional info "SASL(-13): user not found: checkpass failed" a couple of times, not for your specific issue, but following along this tutorial.

What David wrote in the blog to do was:
sudo ldapmodify -a -H ldapi:/// -f ~/ldap/posixAccount.indexes.ldif
That returned the error: SASL(-13): user not found: checkpass failed
So I amended the command to:
sudo ldapmodify -a -Y EXTERNAL -H ldapi:/// -f ~/ldap/posixAccount.indexes.ldif
That seemed to do the trick.